Gopher Menu

       ----------------------------------------
       CTRL-ALT-LED keyboard LED attack on airgapped systems
       July 11th, 2019
       ----------------------------------------
       
(HTML) So I saw an interesting article on zdnet earlier about keyboard LEDs
       potentially being used to exfiltrate data on extremely high security
       air gapped systems (essentially systems have no network access).
       
(HTML) Here's a short synopsis of the article:
       > The attack, which they named CTRL-ALT-LED, is nothing that regular
       > users should worry about but is a danger for highly secure environments
       > such as government networks that store top-secret documents or enter-
       > prise networks dedicated to storing non-public proprietary information.
       > The attack requires some pre-requisites, such as the malicious actor 
       > finding a way to infect an air-gapped system with malware beforehand.
       > CTRL-ALT-LED is only an exfiltration method. But once these prerequi-
       > sites are met, the malware running on a system can make the LEDs of an
       > USB-connected keyboard blink at rapid speeds, using a custom transmis-
       > sion protocol and modulation scheme to encode the transmitted data. A
       > nearby attacker can record these tiny light flickers, which they can
       > decode at a later point, using the same modulation scheme used to 
       > encode it.
       
(HTML) Given previous hypotheticals against airgapped systems using hard disk
       drive LEDs, I think it's entirely reasonable that folks using systems
       requiring this much security should make a few changes to prevent 
       exfiltration of information via LEDs... For starters I would remove the 
       keyboard LEDs with an X-ACTO knife, it's a realitively simple operation
       to do.  If users absolutely need a keyboard indication of whether num/
       caps/scroll lock is on, a keyboard manufacturer could easily make old-
       style keyboards with mechanical latches for those keys (you gently press
       your finger on the lock key to see if it's actually locked or not).
       
       Furthermore the HDD LED should be removed for the same reason, and while
       we are at it, the power LED should be removed too.  Before you say that 
       I am mad for advocating power LED removal, hear me out; an external power
       LED can be made by handy engineers with ease: an induction coil attached
       to the incoming mains of the PSU can be wired into an LED (be sure to use
       a filtering capacitor) to determine if the system is powered or not.
       
       Don't take a chance on taping off LEDs, tape can fall off, and some users
       compulsively pick at things. Ugh.
       
       As for me, I'm taking the easy way out: if the data is so important that
       it requires an airgapped system, I'm not going to put it on any of my
       computers to begin with. :)
       ----------------------------------------
 (DIR) Back to phlog index
 (DIR) gopher.zcrayfish.soy gopher root
       This phlog entry has been read 243 times.
  (?)  Comments have been enabled for this post, select here to leave yours
       Comments have been left on this post:
       
       everyone should have an airgap machine for making key pairs.
       Posted Sat Jul 20 02:12:46 UTC 2019 by 104.244.74.97
       ------------------------------------------------------------------------
       I have an airgap machine for making private keys.
       Posted Sat Aug 17 01:21:24 UTC 2019 by 178.17.170.135
       ------------------------------------------------------------------------
       interesting to learn about this attack. I won't lose any sleep tho.
       Posted Sat Dec 21 22:36:06 UTC 2019 by 185.220.100.247
       ------------------------------------------------------------------------